diff --git a/system/options.nix b/system/options.nix index cb50cf7f6e0..d8c390934ce 100644 --- a/system/options.nix +++ b/system/options.nix @@ -487,6 +487,7 @@ in (import ../upstart-jobs/tty-backgrounds.nix) (import ../upstart-jobs/synergy.nix) + (import ../upstart-jobs/openvpn.nix) (import ../upstart-jobs/nfs-kernel.nix) (import ../upstart-jobs/autofs.nix) diff --git a/upstart-jobs/openvpn.nix b/upstart-jobs/openvpn.nix new file mode 100644 index 00000000000..1e1edff902c --- /dev/null +++ b/upstart-jobs/openvpn.nix @@ -0,0 +1,130 @@ + +{pkgs, config, ...}: + +###### interface +let + inherit (pkgs.lib) mkOption mkIf; + + options = { + services = { + openvpn = { + enable = mkOption { + default = false; + description = " + Whether to enable the Secure Shell daemon, which allows secure + remote logins. + "; + }; + servers = mkOption { + example = [ + { + id = "server-simplest"; + config = '' + # Most simple configuration: http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html. + # server : + dev tun + ifconfig 10.8.0.1 10.8.0.2 + secret static.key + ''; + up = "ip route add ..!"; + down = "ip route add ..!"; + } + { + id = "client-simplest"; + config = '' + #client: + #remote myremote.mydomain + #dev tun + #ifconfig 10.8.0.2 10.8.0.1 + #secret static.key + ''; + } + { + id = "server-scalable"; + config = '' + multiple clienst + see example file found in http://openvpn.net/index.php/documentation/howto.html + ''; + } + { + id = "client-scalabe"; + config = '' dito ''; + } + ]; + default = []; + description = '' + openvpn instances to be run. Each will be put into an extra job named openvpn-{id} + + The up and down properties will be added config line up=/nix/store/xxx-up-script + automatically for you. If you define at least one of up/down + "script-security 2" will be prepended to your config. + + Don't forget to check that the all package sizes can be sent. if scp hangs or such you should set + --fragment XXX --mssfix YYY. + ''; + }; + }; + }; + }; + +###### implementation + + cfg = config.services.openvpn; + + inherit (pkgs) openvpn; + inherit (builtins) hasAttr; + + PATH="${pkgs.iptables}/sbin:${pkgs.coreutils}/bin:${pkgs.iproute}/sbin:${pkgs.nettools}/sbin"; + + makeOpenVPNJob = cfg : + let + upScript = '' + #!/bin/sh + exec &> /var/log/openvpn-${cfg.id}-up + PATH=${PATH} + ${cfg.up} + ''; + downScript = '' + #!/bin/sh + exec &> /var/log/openvpn-${cfg.id}-down + PATH=${PATH} + ${cfg.down} + ''; + configFile = pkgs.writeText "openvpn-config-${cfg.id}" '' + ${if hasAttr "up" cfg || hasAttr "down" cfg then "script-security 2" else ""} + ${cfg.config} + ${if hasAttr "up" cfg then "up ${pkgs.writeScript "openvpn-${cfg.id}-up" upScript}" else "" } + ${if hasAttr "down" cfg then "down ${pkgs.writeScript "openvpn-${cfg.id}-down" downScript}" else "" } + ''; + in { + name = "openvpn-${cfg.id}"; + + job = '' + description "OpenVPN-${cfg.id}" + + start on network-interfaces/started + stop on network-interfaces/stop + + + PATH=${pkgs.coreutils}/bin + + respawn + script + exec &> /var/log/openvpn-${cfg.id} + ${openvpn}/sbin/openvpn --config ${configFile} + end script + ''; + }; + +in + + +mkIf cfg.enable { + require = [ + options + ]; + + services = { + extraJobs = map makeOpenVPNJob cfg.servers; + }; +}